Security Issues with ASP.Net

Need some advice on some of the security issues in my ASP.Net application.
There are certain tasks that I need to implement so need advice/guidance on
them as well as safeguards that I should implement. The application would
be typically running on Windows Server 2003 with IIS6 with .Net framework
1.1

1. My application saves its settings to the registry. I know that by
default the Aspnet user does not have rights to edit the registry. My
Workaround is that I changed the user in processmodel from "machine" to
"SYSTEM" in the machine.config file. Also in case of 2003 Server, I have to
explicitly grant full rights to the aspnet user to the registry.

Somehow I feel that this solution is not a good one and has the potential
for making the web server unsafe. Any other solutions/workarounds for this
problem?

2. My application needs to read/write/create directories from the file
system on the webserver. I have to explicitly grant the aspnet user full
access to the directories in question. Any other elegant solution to this
issue?

Also, in Windows Server 2003, this does not work if the directory is located
inside the "Program Files" directory. Does not work even when the aspnet
user is added to the Administrators group. Why could this be happening?

Advertisements

Most executable programs you run use the local System account to run.
ASP.Net is no different. There is no Security risk unless some hostile
person can somehow take control of your ASP.Net app. The aspnet user account
is more useful if you are, for example, a hosting service, and of course,
you don't want to grant blanket access to the entire machine to all of your
hosting clients.
--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developerhttp://www.takempis.com
Big things are made up of
lots of little things.

"Sanjay Poojari" <> wrote in message
news:%...
> Hi All,
>
> Need some advice on some of the security issues in my ASP.Net application.
> There are certain tasks that I need to implement so need advice/guidance
on
> them as well as safeguards that I should implement. The application would
> be typically running on Windows Server 2003 with IIS6 with .Net framework
> 1.1
>
> 1. My application saves its settings to the registry. I know that by
> default the Aspnet user does not have rights to edit the registry. My
> Workaround is that I changed the user in processmodel from "machine" to
> "SYSTEM" in the machine.config file. Also in case of 2003 Server, I have
to
> explicitly grant full rights to the aspnet user to the registry.
>
> Somehow I feel that this solution is not a good one and has the potential
> for making the web server unsafe. Any other solutions/workarounds for
this
> problem?
>
> 2. My application needs to read/write/create directories from the file
> system on the webserver. I have to explicitly grant the aspnet user full
> access to the directories in question. Any other elegant solution to this
> issue?
>
> Also, in Windows Server 2003, this does not work if the directory is
located
> inside the "Program Files" directory. Does not work even when the aspnet
> user is added to the Administrators group. Why could this be happening?
>
> Any suggestions/pointers would be appreciated.
>
> Thanks in advance,
> Sanjay
>
>

Share This Page

Welcome to The Coding Forums!

Welcome to the Coding Forums, the place to chat about anything related to programming and coding languages.

Please join our friendly community by clicking the button below - it only takes a few seconds and is totally free. You'll be able to ask questions about coding or chat with the community and help others.
Sign up now!